DETAILED ACTION

A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has 
been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 
CFR 1.114. Applicant's submission filed on September 29, 2008 has been entered. New claims 
24-26 have been added. Claims 1-2, 4-8 and 15-26 are pending. 



Response to Arguments 

Applicant's arguments filed 9/29/2008 have been fully considered but they are not 
persuasive. 

With respect to claim 1, applicant argues that the art on record fails to teach "analyzing at
least one association ... to determine whether ARP spoofing occurs, wherein the analyzing is
based on a time associated with the at least one association." Applicant further argues that
there is no rationale for combining Iyer with Rayes to teach the analyzing feature of claim 1 and
the combination would not enhance the security of the system as recited in the office action.
Examiner disagrees. 

Examiner would point out that, a suggestion, teaching, or motivation to combine the 
relevant prior art teachings does not have to be found explicitly in the prior art, as the teachings, 
motivation, or suggestion may be implicit from the prior art, as a whole, rather than expressly 
stated in the references. The test for an implicit showing is what the combined teachings, 
knowledge of one of a whole would have suggested to those of ordinary skill in the art. In re 
Kahn, 441 F.3d 977, 988, 78 USPQ2d 1329, 1336 (Fed. Cir. 2006) citing In re Kotzab, 217 F.3d
1365, 1370, 55 USPQ2d 1313 (Fed. Cir. 2000). See also In re Thrift, 298 F.3d 1357, 1363, 63
USPQ2d 2002, 2008 (Fed. Cir. 2002). These showings by the examiner are an essential part of
complying with the burden of presenting a prima facie case of obviousness. Note In re Oetiker , 
977 F.2d 1443, 1445, 24 USPQ2d 1443, 1444 (Fed. Cir. 1992). In this case Rayes teaches a 
method for detecting ARP spoofing including, analyzing at least one association in a database 
accessible to the ARP collector to determine whether ARP spoofing occurs, and wherein the at 
least one association includes a MAC address that is identical to the MAC address included in 
the data packet [column 7, line 63 - column 9, line 4]. Furthermore, Iyer teaches detecting 
spoofing including analyzing at least one association, wherein analyzing is based on a time 
associated with the at least one association [paragraph 0093]. One of ordinary skill in the art 
would have been able to modify the teachings of Iyer within the system of Rayes in order to
enhance the security of the system. 

With respect to claim 20, applicant argues that, the art on record fails to teach analyzing 
at least two associations in a database accessible to the ARP collector to determine whether 
ARP spoofing occurs. Examiner disagrees. 

Examiner would point out that, Doyle teaches a method for detecting ARP spoofing 
including, analyzing at least two associations in a database accessible to the ARP collector to 
determine whether ARP spoofing occurs, wherein each of the at least two associations include 
a MAC address that is identical to the MAC address included in the data packet [column 9, lines 
16-29]. Examiner would point out that the art on record teaches the claim limitations and 
therefore the rejection is respectfully maintained. 



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made.

Claims 1, 2, 4-8, 15-19, 22 and 23 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Rayes et al. US 7,234,163 B1 (hereinafter Rayes) in view of Iyer et al. US
2005/0254474 A1 (hereinafter Iyer).

As per claims 1, 15 and 22, Rayes teaches a method for detecting ARP spoofing
including: 

receiving a data packet at an ARP collector, wherein the data packet is generated by a 
first device on the network, and wherein the data packet includes information from an ARP reply 
received at the first device from a second device on the network, the information including a 
MAC address of the second device and an IP address given as a source IP address of the 
second device in the ARP reply [column 7, lines 35-45]; 

analyzing at least one association in a database accessible to the ARP collector to 
determine whether ARP spoofing occurs, and wherein the at least one association includes a 
MAC address that is identical to the MAC address included in the data packet [column 7, line 
63 - column 9, line 4]. 

Rayes is silent on the system, wherein the analyzing is based on a time associated with 
the at least one association. However, Iyer teaches detecting spoofing including analyzing at 
least one association, wherein analyzing is based on a time associated with the at least one 
association [paragraph 0093]. It would have been obvious to one having ordinary skill in the art 
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at the time of applicant's invention to employ the teachings of Iyer within the system of Rayes in 
order to enhance the security of the system. 

As per claims 4, 5 and 16, Rayes further teaches the method wherein the information 
stored in the database includes a MAC address of a device which generated an ARP reply, and 
an IP address given as a source IP address in the ARP reply and a time at which the ARP reply 
was received on the port, and an identification of the port on which the ARP reply was received 
[figure 1, units 160 & 170 and column 7, lines 13-21].

As per claims 6 and 18, Rayes further teaches the method wherein when it is 
determined that there is a spoofed ARP reply, blocking the port on which the spoofed ARP reply 
was received [column 9, lines 20-42]. 

As per claims 7 and 19, Rayes further teaches the method wherein when it is 
determined that there is a spoofed ARP reply, filtering a MAC address which generated the 
spoofed ARP reply at a port at which the spoofed ARP reply was received [column 9, lines 20-43].

As per claims 8 and 17, Rayes further teaches the method further comprising:
transmitting the data packet to the ARP collector and generating an alert when an ARP spoofing 
condition occurs [column 9, lines 6-19]. 

As per claim 23, Rayes further teaches the system wherein said network device is a 
Layer 2 switch [figure 1].

Claim 2 is rejected under 35 U.S.C. 103(a) as being unpatentable over Rayes et al. US
7,234,163 B1 (hereinafter Rayes) in view of Iyer et al. US 2005/0254474 A1 and further in view
of Gunter et al. US 6,751,728 B1 (hereinafter Gunter). 

As per claim 2, Rayes teaches a method of detecting ARP spoofing as indicated above. 
Rayes is silent on generating the data packet which includes encrypting the data packet. 
However, encrypting data packets is old and well known in the art which has the advantage of 
enhancing security of a system. For example, Gunter teaches transmitting packets, including 
encrypting the transmitted packets [see at least abstract]. It would have been obvious to one 
having ordinary skill in the art at the time of applicant's invention to employ the teachings of 
Gunter within the system of Rayes-Iyer in order to enhance security of the system.

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States
only if the international application designated the United States and was published under Article 21(2)
of such treaty in the English language. 

Claim 20 is rejected under 35 U.S.C. 102(e) as being anticipated by Doyle US 
7,134,012. 

As per claim 20, Doyle teaches a method for detecting ARP spoofing in a computer 
network, the method comprising: 



Application/Control Number: 10/631,091 Page 7

Art Unit: 2435 

receiving a data packet at an ARP collector, wherein the data packet is generated by a
first device on the network, and wherein the data packet includes information from an ARP reply
received at the first device from a second device on the network, the information including a
MAC address of the second device and an IP address given as a source IP address of the
second device in the ARP reply [column 9, lines 7-15]; and

analyzing at least two associations in a database accessible to the ARP collector to
determine whether ARP spoofing occurs, wherein each of the at least two associations include
a MAC address that is identical to the MAC address included in the data packet [column 9, lines
16-29]. 

Allowable Subject Matter 

Claims 21 and 24-26 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to BEEMNET W. DADA whose telephone number is (571) 272-3847. The
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Beemnet W Dada/ 
Examiner, Art Unit 2435 



October 23, 2008 



